C Oracle Fusion Middleware Audit Framework Reference

This appendix describes how to use Oracle Fusion Middleware Audit Framework to create and develop reports from your audit data.

This appendix includes the following topics:

This appendix covers reports based on the report template model of Oracle Business Intelligence Publisher 10g. For information about a different approach based on the audit dynamic model, see Using Audit Analysis and Reporting.

Audit Events

The following sections describe the components, the events, and the attributes that you use with audit:

What Components Can Be Audited?

The Audit Framework provides the foundation to audit Oracle Fusion Middleware components and applications, such as the following:

  • OPSS

  • Oracle Web Services Manager

  • Oracle Directory Integration Platform

  • Oracle HTTP Server

  • Oracle Internet Directory

This appendix provides audit information for events generated by OPSS only. For information about audit in other components and applications, refer to the respective administration guides.

System Categories and Events

The Audit Framework allows you to audit events in several core platform security services, including:

  • System events for OPSS services

  • Core OPSS

  • Identity Governance Services

  • Identity virtualization

The following tables list specific events:

Table C-1 System Categories and Events

Category Event Description

UserSession

UserLogin

UserLogins

In applications with multiple tiers, inner tiers often use a special user ID to log in to the next tier. These logins are counted in the separate Internal Logins category. The User Login/Logout events record only actions by regular users.

UserLogout

UserLogouts

An end user or administrator logs out.

Authentication

Similar to UserLogin/InternalLogin, except that no session is created, so there is no corresponding UserLogout/InternalLogout. This event is usually generated by lower layers, while login is generated by higher layers.

InternalLogin

An internal login between two tiers.

InternalLogout

An internal logout between two tiers.

QuerySession

Query the attributes within a session object for a logged-in user.

ModifySession

Modify the attributes within a session object for a logged-in user.

Authorization

CheckAuthorization

Set of authorization events.

Data Access

CreateDataItem

Create a data item.

DeleteDataItem

Delete a data item.

QueryDataItemAttributes

Query the attributes associated with a data item.

ModifyDataItemAttributes

Modify the attributes associated with a data item, for example access.

AccountManagement

ChangePassword

CreateAccount

Create a user, group, or any principal account.

DeleteAccount

Delete an account for a user, group, or other principal.

EnableAccount

Enable an account for a user, group, or other principal.

DisableAccount

Disable an account for a user, group, or other principal.

QueryAccount

Query the user's account.

ModifyAccount

Modify the account attributes.

ServiceManagement

InstallService

Install or upgrade a service or an application.

RemoveService

Uninstall a service or an application.

QueryServiceConfig

Query the configuration of a service or application.

ModifyServiceConfig

Modify the configuration of a service or application.

DisableService

Shut down or disable a service or application.

EnableService

Start up or enable a service or application.

ServiceUtilize

InvokeService

Call a service or an application.

TerminateService

Terminate a service or an application, either at the request of the application itself or by intervention of the domain in response to user or administrative action.

QueryProcessContext

Query the attributes associated with the current processing context.

ModifyProcessContext

Modify the attributes associated with the current processing context.

PeerAssocManagement

CreatePeerAssoc

Creates a communication channel between system components.

TerminatePeerAssoc

Terminates a communication channel between system components.

QueryAssocContext

Query attributes associated with a communication channel between system components.

ModifyAssocContext

Modify attributes associated with a communication channel between system components.

DataViaAssociate

NA

a communication channel between system components

ReceiveDataViaAssoc

Receive data from an associated peer.

SendDataViaAssoc

Send data to an associated peer.

DataItemContentAccess

CreateDataItemAssoc

Open a data item, for example a file.

TerminateDataItemAssoc

Close a data item, for example a file.

QueryDataItemAssocContext

Query attributes of a data item, for example mode of access, size limits, access paths, and so on.

ModifyDataItemAssocContext

Modify attributes of a data item.

QueryDataItemContents

Read the data item.

ModifyDataItemContent

Write or append to the data item.

Exceptional

StartSystem

Boot a system host.

ShutdownSystem

Shut down the system.

ResourceExhausted

Resources like data storage or communication endpoints have been exhausted.

ResourceCorrupted

Resources like data storage have integrity failures.

BackupDatastore

Make a backup copy of a data store.

RecoverDatastore

Recover a data store from a backup copy.

AuditService

ConfigureAuditPolicy

Modify parameters that control audit, such as audit event filtering.

ConfigureAuditRepository

Configure the audit storage type.

Table C-2 Core OPSS Events

Event Category Event Type Attributes used by Event

Authorization

CheckPermission

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, Subject, PermissionAction, PermissionTarget, PermissionClass

CheckSubject

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, Subject

IsAccessAllowed

NA

CredentialManagement

CreateCredential

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

DeleteCredential

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

AccessCredential

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

ModifyCredential

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, mapName, key, CodeSource, Principals, InitiatorGUID

PolicyManagement

PolicyGrant

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, PermissionAction, PermissionTarget, PermissionClass, PermissionScope

PolicyRevoke

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, PermissionAction, PermissionTarget, PermissionClass, PermissionScope

RoleManagement

RoleMembershipAdd

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, ApplicationRole, EnterpriseRoles, PermissionScope

RoleMembershipRemove

ComponentType, InstanceId, HostId, HostNwaddr, ModuleId, ProcessId, OracleHome, HomeInstance, ECID, RID, ContextFields, SessionId, TargetComponentType, ApplicationName, EventType, EventCategory, EventStatus, TstzOriginating, ThreadId, ComponentName, Initiator, MessageText, FailureCode, RemoteIP, Target, Resource, Roles, CodeSource, Principals, InitiatorGUID, ApplicationRole, EnterpriseRoles, PermissionScope

RolePolicyManagement

RolePolicyCreation

CodeSource, Principals, InitiatorGUID, InitiatorDN, ManagedApplication, PolicyName, PolicyApplicationRolePrincipals, RoleMembers, PolicyRules, ResourceNames, ResourceNameExpressions, PolicyApplicationRolePrincipalsOld, RoleMembersOld, PolicyRulesOld, ResourceNamesOld, ResourceNameExpressionsOld

RolePolicyModification

CodeSource, Principals, InitiatorGUID, InitiatorDN, ManagedApplication, PolicyName, PolicyApplicationRolePrincipals, RoleMembers, PolicyRules, ResourceNames, ResourceNameExpressions, PolicyApplicationRolePrincipalsOld, RoleMembersOld, PolicyRulesOld, ResourceNamesOld, ResourceNameExpressionsOld

RolePolicyDeletion

CodeSource, Principals, InitiatorGUID, InitiatorDN, ManagedApplication, PolicyName, PolicyApplicationRolePrincipals, RoleMembers, PolicyRules, ResourceNames, ResourceNameExpressions, PolicyApplicationRolePrincipalsOld, RoleMembersOld, PolicyRulesOld, ResourceNamesOld, ResourceNameExpressionsOld

ResourceManagement

ResourceCreation

InitiatorDN, GUID, CodeSource, Principals, Permission, PermissionClass, ManagedApplication, ResName, ResTypeName, PolicyDomainName, ResourceAttributes, Cascade, ModifiedAttributeName, ModifiedAttributeValue, ModifiedAttributeValueOld, ResourceAttributesOld, SqlPredicate, SqlPredicateOld, XmlExpression, XmlExpressionOld

ResourceDeletion

InitiatorDN, GUID, CodeSource, Principals, Permission, PermissionClass, ManagedApplication, ResName, ResTypeName, PolicyDomainName, ResourceAttributes, Cascade, ModifiedAttributeName, ModifiedAttributeValue, ModifiedAttributeValueOld, ResourceAttributesOld, SqlPredicate, SqlPredicateOld, XmlExpression, XmlExpressionOld

ResourceModification

InitiatorDN, GUID, CodeSource, Principals, Permission, PermissionClass, ManagedApplication, ResName, ResTypeName, PolicyDomainName, ResourceAttributes, Cascade, ModifiedAttributeName, ModifiedAttributeValue, ModifiedAttributeValueOld, ResourceAttributesOld, SqlPredicate, SqlPredicateOld, XmlExpression, XmlExpressionOld

KeyStoreManagement

CreateKeyStore

stripeName, keystoreName, alias, operation, CodeSource, Principals, InitiatorGUID

DeleteKeyStore

stripeName, keystoreName, alias, operation, CodeSource, Principals, InitiatorGUID

ModifyKeyStore

stripeName, keystoreName, alias, operation, CodeSource, Principals, InitiatorGUID

PermissionSet Management

PermissionSetCreation

InitiatorDN, GUID, CodeSource, Principals, Permission, PermissionClass, ManagedApplication, PermissionSetName, PolicyDomainName, ResourceActions, Cascade, ModifiedAttributeName, ModifiedAttributeValue, ModifiedAttributeValueOld, ResourceActionsOld

PermissionSetDeletion

InitiatorDN, GUID, CodeSource, Principals, Permission, PermissionClass, ManagedApplication, PermissionSetName, PolicyDomainName, ResourceActions, Cascade, ModifiedAttributeName, ModifiedAttributeValue, ModifiedAttributeValueOld, ResourceActionsOld

PermissionSetModification

InitiatorDN, GUID, CodeSource, Principals, Permission, PermissionClass, ManagedApplication, PermissionSetName, PolicyDomainName, ResourceActions, Cascade, ModifiedAttributeName, ModifiedAttributeValue, ModifiedAttributeValueOld, ResourceActionsOld

Table C-3 Identity Governance Service Events

Event Category Event Type Attributes used by Event

UserSession

Authentication

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

DataAccess

CreateDataItem

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

DeleteDataItem

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

ModifyDataItemAttributes

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

Table C-4 Identity Virtualization Library Events

Event Category Event Type Attributes used by Event

LDAPEntryAccess

Add

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

Delete

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

Modify

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

Rename

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

UserSession

UserLogin.FAILURESONLY

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

DataAccess

QueryDataItemAttributes

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

ModifyDataItemAttributes

Initiator, EventType, EventStatus, MessageText, ApplicationName, AuditService:TransactionId, ContextFields, ECID, EventCategory, FailureCode, MajorVersion, MinorVersion, RID, RemoteIP, Resource, Roles, SessionId, Target, ThreadId, AuthenticationMethod

OPSS Event Attributes

Table C-5 lists attributes of audit events.

Table C-5 Attributes of Audit Events

| Namespace | Attribute Name | Description |
|---|---|---|
| common | ApplicationName | The Java EE application name. |
| | AuditUser | Identifies the user name of the user who is running the application. |
| | ComponentData | Where component-specific data are stored when there is no component-specific table in the schema. |
| | ComponentName | The name of this component. |
| | ComponentType | Type of the component. |
| | ContextFields | This attribute contains the context fields extracted from the dms context. |
| | DomainName | The WebLogic Server domain. |
| | ECID | Identifies the thread of execution in which the originating component participates. |
| | EventCategory | The category of the audit event. |
| | EventStatus | The outcome of the audit event - success or failure. |
| | EventType | The type of the audit event. Use the listAuditEvents command to list out all the events. |
| | FailureCode | The error code in case EventStatus = failure. |
| | HomeInstance | The ORACLE_INSTANCE directory of the component. |
| | HostId | DN of originating host. |
| | HostNwaddr | The IP or other network address of originating host. |
| | Initiator | Identifies the UID of the user who is doing the operation. |
| | InstanceId | The name of the instance to which this component belongs. |
| | MajorVersion | The major version of a component. |
| | MessageText | Description of the audit event. |
| | MinorVersion | The minor version of a component. |
| | ModuleId | The ID of the module that originated the message. Interpretation is unique within Component ID. |
| | OracleHome | The ORACLE_HOME directory of the component. |
| | ProcessId | The ID of the process that originated the message. |
| | RemoteIP | The IP address of the client initiating this event. |
| | Resource | Identifies a resource being accessed, such as a web page, a file, a directory, a web service, or a document. The resource name combines the host name and the URI. |
| | RID | This is the relationship identifier. Used to provide the full and correct calling relationships between threads and processes. |
| | Roles | The roles that the user was granted at the time of login. |
| | ServerName | The name of the server. |
| | SessionId | The ID of the login session. |
| | Target | Identifies the UID of the user on whom the operation is being done. For example, if Alice changes Bob's password, then Alice is the initiator and Bob is the target. |
| | TargetComponentType | The target component type. |
| | TstzOriginating | Date and time when the audit event was generated. |
| | ThreadId | The ID of the thread that generated this event. |
| | TenantId | The tenant ID. |
| | TransactionId | The transaction ID. |
| | UserTenantId | The user tenant ID. |
| AuditService | TransactionId | The transaction ID. |
| UserSession | AuthenticationMethod | The Authentication method, namely password, SSL, Kerberos and so on. |

The Audit Schema

Even though prebuilt reports use a subset of event attributes, the Audit Framework allows using the entire event attribute set in your custom reports.

Table C-6 and Table C-7 describe the audit schema. The IAU_ID column in the schema is indexed to enhance query performance.

Table C-6 The Audit Schema

| Table Name | Column Name | Data Type | Nullable | Column ID |
|---|---|---|---|---|
| BASE TABLE | IAU_ID | NUMBER | Yes | 1 |
| | IAU_ORGID | VARCHAR2(255 Bytes) | Yes | 2 |
| | IAU_COMPONENTID | VARCHAR2(255 Bytes) | Yes | 3 |
| | IAU_COMPONENTTYPE | VARCHAR2(255 Bytes) | Yes | 4 |
| | IAU_INSTANCEID | VARCHAR2(255 Bytes) | Yes | 5 |
| | IAU_HOSTINGCLIENTID | VARCHAR2(255 Bytes) | Yes | 6 |
| | IAU_HOSTID | VARCHAR2(255 Bytes) | Yes | 7 |
| | IAU_HOSTNWADDR | VARCHAR2(255 Bytes) | Yes | 8 |
| | IAU_MODULEID | VARCHAR2(255 Bytes) | Yes | 9 |
| | IAU_PROCESSID | VARCHAR2(255 Bytes) | Yes | 10 |
| | IAU_ORACLEHOME | VARCHAR2(255 Bytes) | Yes | 11 |
| | IAU_HOMEINSTANCE | VARCHAR2(255 Bytes) | Yes | 12 |
| | IAU_UPSTREAMCOMPONENTID | VARCHAR2(255 Bytes) | Yes | 13 |
| | IAU_DOWNSTREAMCOMPONENTID | VARCHAR2(255 Bytes) | Yes | 14 |
| | IAU_ECID | VARCHAR2(255 Bytes) | Yes | 15 |
| | IAU_RID | VARCHAR2(255 Bytes) | Yes | 16 |
| | IAU_CONTEXTFIELDS | VARCHAR2(2000 Bytes) | Yes | 17 |
| | IAU_SESSIONID | VARCHAR2(255 Bytes) | Yes | 18 |
| | IAU_SECONDARYSESSIONID | VARCHAR2(255 Bytes) | Yes | 19 |
| | IAU_APPLICATIONNAME | VARCHAR2(255 Bytes) | Yes | 20 |
| | IAU_TARGETCOMPONENTTYPE | VARCHAR2(255 Bytes) | Yes | 21 |
| | IAU_EVENTTYPE | VARCHAR2(255 Bytes) | Yes | 22 |
| | IAU_EVENTCATEGORY | VARCHAR2(255 Bytes) | Yes | 23 |
| | IAU_EVENTSTATUS | NUMBER | Yes | 24 |
| | IAU_TSTZORIGINATING | TIMESTAMP(6) | Yes | 25 |
| | IAU_THREADID | VARCHAR2(255 Bytes) | Yes | 26 |
| | IAU_COMPONENTNAME | VARCHAR2(255 Bytes) | Yes | 27 |
| | IAU_INITIATOR | VARCHAR2(255 Bytes) | Yes | 28 |
| | IAU_MESSAGETEXT | VARCHAR2(255 Bytes) | Yes | 29 |
| | IAU_FAILURECODE | VARCHAR2(255 Bytes) | Yes | 30 |
| | IAU_REMOTEIP | VARCHAR2(255 Bytes) | Yes | 31 |
| | IAU_TARGET | VARCHAR2(255 Bytes) | Yes | 32 |
| | IAU_RESOURCE | VARCHAR2(255 Bytes) | Yes | 33 |
| | IAU_ROLES | VARCHAR2(255 Bytes) | Yes | 34 |
| | IAU_AUTHENTICATIONMETHOD | VARCHAR2(255 Bytes) | Yes | 35 |
| | IAU_TRANSACTIONID | VARCHAR2(255 Bytes) | Yes | 36 |
| | IAU_DOMAINNAME | VARCHAR2(255 Bytes) | Yes | 37 |
| | IAU_COMPONENTDATA | CLOB | Yes | 38 |
| DIP | IAU_ID | NUMBER | Yes | 1 |
| | IAU_TSTZORIGINATING | TIMESTAMP(6) | Yes | 2 |
| | IAU_EVENTTYPE | VARCHAR2(255 Bytes) | Yes | 3 |
| | IAU_EVENTCATEGORY | VARCHAR2(255 Bytes) | Yes | 4 |
| | IAU_ASSOCIATEPROFILENAME | VARCHAR2(512 Bytes) | Yes | 5 |
| | IAU_PROFILENAME | VARCHAR2(512 Bytes) | Yes | 6 |
| | IAU_ENTRYDN | VARCHAR2(1024 Bytes) | Yes | 7 |
| | IAU_PROVEVENT | VARCHAR2(2048 Bytes) | Yes | 8 |
| | IAU_JOBNAME | VARCHAR2(128 Bytes) | Yes | 9 |
| | IAU_JOBTYPE | VARCHAR2(128 Bytes) | Yes | 10 |
| IAU_DISP_NAME_TL | IAU_LOCALE_STR | VARCHAR2(7 Bytes) | | 1 |
| | IAU_DISP_NAME_KEY | VARCHAR2(255 Bytes) | | 2 |
| | IAU_COMPONENT_TYPE | VARCHAR2(255 Bytes) | | 3 |
| | IAU_DISP_NAME_KEY_TYPE | VARCHAR2(255 Bytes) | | 4 |
| | IAU_DISP_NAME_TRANS | VARCHAR2(4000 Bytes) | Yes | 5 |
| IAU_LOCALE_MAP_TL | IAU_LOC_LANG | VARCHAR2(2 Bytes) | Yes | 1 |
| | IAU_LOC_CNTRY | VARCHAR2(3 Bytes) | Yes | 2 |
| | IAU_LOC_STR | VARCHAR2(7 Bytes) | Yes | 3 |

Table C-7 shows tables in the audit schema that support the dynamic metadata model.

Table C-7 Additional Audit Schema Tables

| Table Name | Column Name | Data Type |
|---|---|---|
| IAU_COMMON | IAU_ID | NUMBER |
| | IAU_OrgId | VARCHAR(255) |
| | IAU_ComponentId | VARCHAR(255) |
| | IAU_ComponentType | VARCHAR(255) |
| | IAU_MajorVersion | VARCHAR(255) |
| | IAU_MinorVersion | VARCHAR(255) |
| | IAU_InstanceId | VARCHAR(255) |
| | IAU_HostingClientId | VARCHAR(255) |
| | IAU_HostId | VARCHAR(255) |
| | IAU_HostNwaddr | VARCHAR(255) |
| | IAU_ModuleId | VARCHAR(255) |
| | IAU_ProcessId | VARCHAR(255) |
| | IAU_OracleHome | VARCHAR(255) |
| | IAU_HomeInstance | VARCHAR(255) |
| | IAU_UpstreamComponentId | VARCHAR(255) |
| | IAU_DownstreamComponentId | VARCHAR(255) |
| | IAU_ECID | VARCHAR(255) |
| | IAU_RID | VARCHAR(255) |
| | IAU_ContextFields | VARCHAR(2000) |
| | IAU_SessionId | VARCHAR(255) |
| | IAU_SecondarySessionId | VARCHAR(255) |
| | IAU_ApplicationName | VARCHAR(255) |
| | IAU_TargetComponentType | VARCHAR(255) |
| | IAU_EventType | VARCHAR(255) |
| | IAU_EventCategory | VARCHAR(255) |
| | IAU_EventStatus | NUMBER |
| | IAU_TstzOriginating | TIMESTAMP |
| | IAU_ThreadId | VARCHAR(255) |
| | IAU_ComponentName | VARCHAR(255) |
| | IAU_Initiator | VARCHAR(255) |
| | IAU_MessageText | VARCHAR(2000) |
| | IAU_FailureCode | VARCHAR(255) |
| | IAU_RemoteIP | VARCHAR(255) |
| | IAU_Target | VARCHAR(255) |
| | IAU_Resource | VARCHAR(255) |
| | IAU_Roles | VARCHAR(255) |
| | IAU_AuthenticationMethod | VARCHAR(255) |
| | IAU_TransactionId | VARCHAR(255) |
| | IAU_DomainName | VARCHAR(255) |
| | IAU_ComponentVersion | VARCHAR(255) |
| | IAU_ComponentData | CLOB |
| IAU_CUSTOM | IAU_ID | NUMBER |
| | IAU_BOOLEAN_001 - IAU_BOOLEAN_050 | NUMBER |
| | IAU_INT_001 - IAU_INT_050 | NUMBER |
| | IAU_LONG_001 - IAU_LONG_050 | NUMBER |
| | IAU_FLOAT_001 - IAU_FLOAT_050 | NUMBER |
| | IAU_DOUBLE_001 - IAU_DOUBLE_050 | NUMBER |
| | IAU_STRING_001 - IAU_STRING_100 | VARCHAR(2048) |
| | IAU_DATETIME_001 - IAU_DATETIME_050 | TIMESTAMP |
| | IAU_LONGSTRING_001 - IAU_LONGSTRING_050 | CLOB |
| | IAU_BINARY_001 - IAU_BINARY_050 | BLOB |
| IAU_AuditService | IAU_ID | NUMBER |
| | IAU_TransactionId | VARCHAR(255) |
| IAU_USERSESSION | IAU_ID | NUMBER |
| | IAU_AuthenticationMethod | VARCHAR(255) |

Audit Filter Expression Syntax

When you choose a custom audit policy, you have the option to specify a filter expression along with an event.

For example, use the following expression:

Host Id -eq "myhost123"

to enable the audit event for a particular host only. Enter this expression with the setAuditPolicy command.

An expression can be a Boolean expression or a Boolean literal.

<Expr> ::= <BooleanExpression> | <BooleanLiteral>

A Boolean expression can combine relational expressions with -and, -or, -not, and parentheses. For example, (Host Id -eq "stadl17" -or ").

<BooleanExpression> ::=  <RelationalExpression>
   | "(" <BooleanExpression> ")"
   | <BooleanExpression> "-and" <BooleanExpression>
   | <BooleanExpression> "-or" <BooleanExpression>
   | "-not" <BooleanExpression>

A relational expression compares an attribute name (on the left-hand side) with a literal (on the right-hand side). The literal and the operator must be of the correct data type for the attribute.

<RelationalExpression> ::= <AttributeName> <RelationalOperator> <Literal>

Relational operators are particular to data types:

  • -eq, -ne can be used with all data types

  • -contains, -startswith, -endswith can be only used with strings

  • -contains_case, -startswith_case and -endswith_case are case-sensitive versions of these three functions

  • -lt, -le, -gt, -ge can be used with numeric and datetime

<RelationalOperator> ::= "-eq" | "-ne" | "-lt" | "-le" | "-gt" | "-ge"
   | "-contains" | "-contains_case"
   | "-startswith" | "-startswith_case"
   | "-endswith" | "-endswith_case"

The rules for literals are:

  • Boolean literals are true or false.

  • Date time literals must be enclosed in double quotes and can have different formats. For example, "June 25, 2016 2:00 pm" and "06/25/2016 2:00 pm" are both valid.

  • String literals are quoted; a backslash can be used to escape an embedded double quote.

  • Numeric literals are in their usual format.

For example:

<Literal> ::=  <NumericLiteral> | <BooleanLiteral> | <DateTimeLiteral> | <StringLiteral>
<BooleanLiteral> ::= "true" | "false"
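
The grammar and operator rules above can be checked offline before an expression is entered with setAuditPolicy. The following Python evaluator is an added example, not Oracle's implementation, and the EVENT values are constructed. It assumes that -not binds tighter than -and, which binds tighter than -or; that the plain string operators ignore case; that a multi-word name such as Host Id maps to the attribute HostId; and that an absent attribute never matches.

```python
import operator
import re
from contextlib import suppress
from datetime import datetime

TOKEN = re.compile(r'\s*(?:"((?:\\.|[^"\\])*)"|([()])|(-[a-z_]+)|([^\s()"]+))')
DATE_FORMATS = ("%B %d, %Y %I:%M %p", "%m/%d/%Y %I:%M %p")  # the two forms the page shows
STRING_OPS = {"-contains": str.__contains__, "-startswith": str.startswith, "-endswith": str.endswith}
COMPARE = {"-" + name: getattr(operator, name) for name in ("eq", "ne", "lt", "le", "gt", "ge")}

def tokenize(text):
    tokens, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}")
        kind, value = ("str", "paren", "op", "word")[m.lastindex - 1], m.group(m.lastindex)
        # A backslash escapes an embedded double quote inside a string literal.
        value = re.sub(r"\\(.)", r"\1", value) if kind == "str" else value
        tokens.append((kind, value))
        pos = m.end()
    return tokens + [("end", "")]   # sentinel so the parser can always look at toks[0]

def coerce(kind, text, actual):
    if kind == "word" and isinstance(actual, bool) and text in ("true", "false"):
        return text == "true"
    if kind == "word" and type(actual) in (int, float):
        return float(text)
    if kind == "str" and isinstance(actual, str):
        return text
    for fmt in (DATE_FORMATS if kind == "str" and isinstance(actual, datetime) else ()):
        with suppress(ValueError):
            return datetime.strptime(text, fmt)
    raise ValueError(f"literal {text!r} does not fit a {type(actual).__name__} attribute")

def relation(attr, op, lit, event):
    actual, base = event.get(attr), op.replace("_case", "")
    if actual is None:
        return False                      # assumption: an absent attribute never matches
    text_op, ordered = base in STRING_OPS, op in ("-lt", "-le", "-gt", "-ge")
    if (text_op and not isinstance(actual, str)) or (ordered and isinstance(actual, (str, bool))):
        raise ValueError(f"{op} is not valid for a {type(actual).__name__} attribute")
    want = coerce(*lit, actual)
    if text_op and base == op:            # plain form ignores case (assumption)
        actual, want = actual.lower(), want.lower()
    return (STRING_OPS[base] if text_op else COMPARE[op])(actual, want)

def matches(expression, event):
    toks = tokenize(expression)
    if toks[:-1] in ([("word", "true")], [("word", "false")]):
        return toks[0][1] == "true"       # <Expr> ::= <BooleanLiteral>
    def accept(tok):
        return toks.pop(0) if toks[0] == tok else None
    def binary(level):                    # level 0 is -or, level 1 is -and
        if level == 2:
            return unary()
        result = binary(level + 1)
        while accept(("op", ("-or", "-and")[level])):
            result = (any if level == 0 else all)([result, binary(level + 1)])
        return result
    def unary():
        if accept(("op", "-not")):
            return not unary()
        if accept(("paren", "(")):
            result = binary(0)
            if not accept(("paren", ")")):
                raise ValueError("missing ')'")
            return result
        words = []
        while toks[0][0] == "word":
            words.append(toks.pop(0)[1])
        (okind, op), lit = toks[0], toks[min(1, len(toks) - 1)]
        known = op in COMPARE or op.replace("_case", "") in STRING_OPS
        if not words or okind != "op" or not known or lit[0] not in ("str", "word"):
            raise ValueError("expected <AttributeName> <RelationalOperator> <Literal>")
        del toks[:2]
        return relation("".join(words), op, lit, event)  # "Host Id" -> HostId (assumption)
    result = binary(0)
    if toks != [("end", "")]:
        raise ValueError(f"unexpected {toks[0][1]!r}")
    return result

# Constructed sample event; attribute names come from Table C-5.
EVENT = {"HostId": "myhost123", "Initiator": "weblogic", "EventStatus": 0,
         "TstzOriginating": datetime(2016, 6, 25, 15, 30)}
```

A ValueError from matches() means the expression is malformed or pairs an operator or literal with the wrong data type for the attribute.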

Naming and Logging Audit Files

In Java EE applications, the audit file names follow the pattern audit*.log. The current file name is audit.log.

When that file fills up (that is, it reaches the configured maximum audit file size, which is 100MB), it is renamed to audit<n>.log and records are written to a new audit.log. The current records are therefore written to audit.log, and older records are found in audit1.log, audit2.log, and so on.

In Java SE applications and system components, the audit log file names follow the pattern hostname_pid_audit*.log, and these files follow a cycle similar to that of log files in Java EE applications. The current log file name is host_pid_audit.log. Note that the process ID is embedded in log file names, as in host_12345_audit.log.

After you configure an audit store, the audit loader reads these files and transfers the records to the database. After transferring a log file (such as audit2.log or host_11925_audit1.log), it deletes the log file, but it never deletes the current log files audit.log or host_pid_audit.log.

For applications with audit definitions in the dynamic model, the file names follow the format audit_major_minor.log. Note that the version number is embedded in the file name, as in audit_1_2.log.

Log files follow the W3C extended logging format where:

  • #Fields specifies all the fields in the rest of the file.

  • #Remark specifies common attributes.

  • Attributes are separated by spaces and missing attributes are indicated by a dash.
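
The naming rules and the file layout described above can be combined into a small triage helper that tells rotated files (the ones the audit loader deletes after transfer) from current ones and reads records by their #Fields header. This is an added example, not Oracle tooling; the sample log, its #Remark content and the failure code are constructed, and it assumes the W3C conventions of a colon after the directive name and double quotes around values that contain spaces.

```python
import re

# Name patterns from the page; <n> is the counter appended to older, rotated files.
NAME_PATTERNS = [
    ("java-ee", re.compile(r"^audit(?P<n>\d+)?\.log$")),
    ("dynamic-model", re.compile(r"^audit_(?P<major>\d+)_(?P<minor>\d+)\.log$")),
    ("java-se", re.compile(r"^(?P<host>.+)_(?P<pid>\d+)_audit(?P<n>\d+)?\.log$")),
]
VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')   # quoted value or bare token

def classify(filename):
    """Return the naming scheme of an audit file and whether it is a rotated copy."""
    for scheme, pattern in NAME_PATTERNS:
        m = pattern.match(filename)
        if m:
            info = {k: v for k, v in m.groupdict().items() if v is not None}
            # The page describes rotation only for the java-ee and java-se schemes,
            # so dynamic-model files are always reported as not rotated here.
            return {"scheme": scheme, "rotated": "n" in info, **info}
    return None

def parse_audit_log(lines):
    """Parse W3C extended-format lines into dicts keyed by the #Fields names."""
    fields, remarks, records = [], [], []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields"):
            fields = re.sub(r"^#Fields:?\s*", "", line).split()
        elif line.startswith("#Remark"):
            remarks.append(re.sub(r"^#Remark:?\s*", "", line))
        elif line and not line.startswith("#"):
            # A bare dash marks a missing attribute; a quoted "-" stays a value.
            values = [None if bare == "-" else (bare or quoted)
                      for quoted, bare in VALUE.findall(line)]
            if len(values) != len(fields):
                raise ValueError(f"line {number}: {len(values)} values for {len(fields)} fields")
            records.append(dict(zip(fields, values)))
    return remarks, records

def failures(records):
    """Records that carry a FailureCode, which is set when EventStatus is failure."""
    return [r for r in records if r.get("FailureCode") is not None]

# Constructed sample; field names are taken from the attribute table on this page.
SAMPLE_LOG = """\
#Fields: TstzOriginating Initiator EventType EventCategory RemoteIP FailureCode MessageText
#Remark: ComponentType=ExampleComponent
2016-06-25T14:00:01 alice UserLogin UserSession 192.0.2.10 - "Login succeeded"
2016-06-25T14:00:09 bob UserLogin UserSession 192.0.2.44 EX-0001 "Login failed: bad password"
2016-06-25T14:02:30 alice ChangePassword AccountManagement - - "Password changed"
""".splitlines()
```

Because the loader removes rotated files once they are transferred, anything that needs the raw files (for example, a file-based collector) has to read them before that happens or query the audit store instead.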